Conventional Proofing Using Photo Based Biometric
A driver's license or passport (sometimes referred to below as an “ID”) contains (i) the picture of a user, (ii) printed information, and (iii) an electronic mechanism to store information. The latter can be a magnetic stripe, a quick response (QR) code, an electronic chip, etc.
A user typically presents it (i.e. his or her driver's license or passport) to an official we shall call a “registrar” as proof of identity.
In the simplest case, the registrar simply compares the photo on the driver's license or passport to the individual in front of him/her and, if there is a match, assumes identity has been proofed.
In the higher assurance case, the registrar swipes the ID (or scans the QR code, or has a device that talks to the chip), retrieves the data, which is sent to a central database that verifies the information on the card, i.e. on the driver's license or passport. Now the registrar is verifying both the photo and the accuracy of the information on the card.
Authentication Techniques
Out of Band Authentication (OOBA):
Invented fifteen years ago for remote authentication, the concept was that a web service which wanted to authenticate a user would itself, or via an OOBA service provider, place a call or send a short message service (SMS) message (now commonly referred to as a text message) to a phone number believed, a priori, to belong to the user. A simple code could be sent, either verbally in such a call or in the text of such an SMS message, to the user who, by entering it into the web service (i.e. into the web service's web page), proved that he/she had access to that phone number at that moment. Note that what is proved is possession of the phone number, which is only as strong as the a priori binding between the number and the user. Several variations of such services are currently widely in use.
Quasi Out of Band Authentication (QOOBA):
OOBA uses the phone network to place a call or send an SMS message for each authentication. More recently, the OOBA concept was extended to use the Internet. A call/SMS/Email is used to activate a smartphone app that then has an “always on” connection to the QOOBA service in the Internet. Just as in OOBA, the web service can send messages to the user, however, without the inconvenience and cost of an individual call/SMS message for each authentication.
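The OOBA and QOOBA exchanges described above, as an added example that is not part of the original disclosure: the web service issues a short code bound to a login session and a phone number, delivers it over a channel the service trusts a priori (a simulated SMS for OOBA, a simulated always-on app connection for QOOBA), and accepts the code only once, only within a time window, and only for a limited number of guesses. The `SmsChannel`, `PushChannel`, `OobaVerifier` and `FakeClock` names, the two-minute lifetime and the three-attempt limit are assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120   # assumption: a delivered code is valid for two minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses void the challenge


@dataclass
class Challenge:
    session_id: str
    phone_number: str
    code: str
    issued_at: float
    attempts: int = 0


class SmsChannel:
    """OOBA path: one SMS per authentication (simulated; messages are stored, not sent)."""
    def __init__(self):
        self.sent = []                      # (phone_number, text)

    def deliver(self, phone_number, text):
        self.sent.append((phone_number, text))


class PushChannel:
    """QOOBA path: a persistent app connection, keyed here by phone number (simulated)."""
    def __init__(self):
        self.inbox = {}                     # phone_number -> [text, ...]

    def deliver(self, phone_number, text):
        self.inbox.setdefault(phone_number, []).append(text)


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, t=1_700_000_000.0):
        self.t = t

    def __call__(self):
        return self.t


class OobaVerifier:
    def __init__(self, channel, now=time.time):
        self.channel = channel
        self.now = now
        self.pending = {}                   # session_id -> Challenge

    def start(self, session_id, phone_number):
        # Six decimal digits from a CSPRNG; the code is tied to this session only.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = Challenge(session_id, phone_number, code, self.now())
        self.channel.deliver(phone_number, f"Your login code is {code}")

    def verify(self, session_id, submitted):
        ch = self.pending.get(session_id)
        if ch is None:                      # unknown, already used, or voided
            return False
        if self.now() - ch.issued_at > CODE_TTL_SECONDS:
            del self.pending[session_id]    # expired: never accept, even if correct
            return False
        if not hmac.compare_digest(ch.code.encode(), submitted.encode()):
            ch.attempts += 1
            if ch.attempts >= MAX_ATTEMPTS:
                del self.pending[session_id]
            return False
        del self.pending[session_id]        # single use: consume on success
        return True


def wrong_code(code):
    """A guess guaranteed to differ from the delivered code."""
    return f"{(int(code) + 1) % 10**6:06d}"


def demo():
    clock, sms = FakeClock(), SmsChannel()
    v = OobaVerifier(sms, now=clock)
    phone = "+15550100"                     # constructed number for the example
    results = {}

    v.start("sess-1", phone)
    code = sms.sent[-1][1].split()[-1]      # the user reads the code off the SMS
    results["wrong"] = v.verify("sess-1", wrong_code(code))
    results["right"] = v.verify("sess-1", code)
    results["replay"] = v.verify("sess-1", code)

    v.start("sess-2", phone)
    code = sms.sent[-1][1].split()[-1]
    clock.t += CODE_TTL_SECONDS + 1
    results["expired"] = v.verify("sess-2", code)

    v.start("sess-3", phone)
    code = sms.sent[-1][1].split()[-1]
    for _ in range(MAX_ATTEMPTS):
        v.verify("sess-3", wrong_code(code))
    results["locked_out"] = v.verify("sess-3", code)

    # QOOBA: same verifier, the code arrives over the app's standing connection instead.
    push = PushChannel()
    q = OobaVerifier(push, now=clock)
    q.start("sess-4", phone)
    code = push.inbox[phone][-1].split()[-1]
    results["push_right"] = q.verify("sess-4", code)
    return results


if __name__ == "__main__":
    print(demo())
```

The verifier is channel-agnostic: swapping `SmsChannel` for `PushChannel` changes only how the code reaches the user, which is exactly the OOBA-to-QOOBA step the text describes. The constant-time comparison, expiry, single use and attempt limit are the checks a practitioner would expect around any short numeric code.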
3pTALK:
Still more recently, QOOBA was further extended into a service commonly referred to as 3pTALK. In this further innovation, an invisible public key infrastructure (PKI) deployment is done to all parties, and digitally signed and encrypted messages can be sent between any of the parties. An escrow service allows for auditability.
Validating Identity Using Smartphones
Smartphones have several advantages as a security device:
(i) they are ubiquitous,
(ii) people usually realize quickly if they have misplaced one,
(iii) they can be deactivated remotely,
(iv) they can be traced if used after being stolen, and so on.
As we move towards a “walletless world”, countless proposals have been advanced to achieve the objective of putting IDs on smartphones. Most involve putting secure chips in the smartphones and deploying appropriate readers. Other, lower-tech, approaches resemble the QR code based airline boarding passes that many people already use on smartphones.
Objectives
An objective of the present invention is to put IDs on smartphones but, as will be described in detail below, the approach taken to do so is decidedly different from those previously proposed. More specifically, it is an objective of the present invention to have a photo identifier, e.g. of a type as described above, carried on a smartphone and to use whatever device the registrar already has to validate or proof the identity of the smartphone user using the photo identifier.
Another objective of the present invention is to provide a solution that does not require changing out devices at every registrar, based on an assumption that the registrar has a personal computer (PC) or a smartphone with a browser.
It is a further objective of the present invention to achieve as much, or close to as much, of the security and convenience of secure chip based devices.
Additional objects, advantages, and novel features of the present invention will become apparent to those skilled in the art from this disclosure, including the following detailed description, as well as by practice of the invention. While the invention is described below with reference to particular embodiment(s), it should be understood that the invention is not limited thereto. Those of ordinary skill in the art having access to the teachings herein will recognize additional implementations, modifications, and embodiments, as well as other fields of use, which are within the scope of the invention as disclosed and claimed herein and with respect to which the invention could be of significant utility.